With Privoxy running at port 8118 with some ad-blocking filters, I
wanted to have my router automatically block ads for devices that
connect to the web through it, so I used the following firewall rule
that has been widely recommended:

    config redirect
        option proto 'tcp'
        option target 'DNAT'
        option dest 'lan'
        option _name 'transparent DNAT proxy for HTTP'
        option src 'lan'
        option dest_port '8118'
        option src_dport '80'
        option src_ip '!192.168.1.1'

That works as expected: users don't see ads. However, a couple of my
devices are laptops that run their own Privoxy ad-blocking setup, so I
do not want their traffic to be pointlessly sent through Privoxy on the
router. I want their traffic to go straight on to the web. I thought I
could ensure this through extending the src_ip option to specify those
devices' IP addresses with an ! before them:

    config redirect
        option proto 'tcp'
        option target 'DNAT'
        option dest 'lan'
        option _name 'transparent DNAT proxy for HTTP'
        option src 'lan'
        option dest_port '8118'
        option src_dport '80'
        option src_ip '!192.168.1.1 !192.168.1.2 !192.168.1.3'

Unfortunately, this doesn't work. The devices connected to the router
with those IP addresses continue to get their traffic sent through the
router's Privoxy. (This is easily verified: if I kill the Privoxy
process running on the router, those devices lose all web access.)

So, what is the right way of expressing a rule that traffic from devices
with IP addresses 192.168.1.2 and 192.168.1.3 should have their port 80
traffic sent straight on to the web, while everyone else should be sent
through Privoxy on the router's port 8118?

I should note that I also have IPv6 activated on the local
network. Would I need to specify devices' IPv6 addresses in rules as
well, or is OpenWRT intelligent enough to realize that IPv4 addresses in
firewall rules should apply to devices that use that IPv4 address and
additionally various IPv6 addresses?
_______________________________________________
openwrt-users mailing list
[email protected]
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-users
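Added example, not part of the original post or of OpenWrt: a small lint that scans an fw3-style /etc/config/firewall for the pattern tried above, a redirect whose src_ip option packs several addresses into one value. It assumes fw3 semantics in which redirect src_ip is a single address (optionally negated with '!'), so a multi-address value is not a usable match and the intended exemption silently does not take effect, which matches what the post observed. The sample config and the function name are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original post or the OpenWrt project.
# Flags 'config redirect' sections whose src_ip option holds more than one
# address. Assumption: fw3 treats redirect src_ip as a single address
# (optionally '!'-negated), so such a value never exempts the listed hosts.

# Constructed sample mirroring the post's second rule (4-space indent).
sample_firewall() {
    cat <<'EOF'
config redirect
    option proto 'tcp'
    option target 'DNAT'
    option dest 'lan'
    option _name 'transparent DNAT proxy for HTTP'
    option src 'lan'
    option dest_port '8118'
    option src_dport '80'
    option src_ip '!192.168.1.1 !192.168.1.2 !192.168.1.3'
EOF
}

# Reads a UCI firewall config on stdin; prints "<section> src_ip=<value>"
# for each offending redirect and exits 1 if any were found, else 0.
lint_redirect_src_ip() {
    awk -v q="'" '
        $1 == "config" {
            sect = $2
            if (sect == "redirect") {
                # Unnamed sections get the uci-style @redirect[N] label.
                name = (NF >= 3) ? $3 : "@redirect[" (rcount + 0) "]"
                rcount++
                gsub(q, "", name)
            }
        }
        sect == "redirect" && $1 == "option" && $2 == "src_ip" {
            val = $0
            sub(/^[ \t]*option[ \t]+src_ip[ \t]+/, "", val)
            gsub(q, "", val)
            if (split(val, parts, /[ \t]+/) > 1) {
                printf "%s src_ip=%s\n", name, val
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }
    '
}

sample_firewall | lint_redirect_src_ip || echo "multi-address src_ip found; exemption would not apply"
```

Run it against the live file with `lint_redirect_src_ip < /etc/config/firewall` before reloading the firewall; it only detects the pattern and does not itself decide how the exempt hosts should be expressed.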
